Ransomware Attack Affects 16,000 Mind & Motion Patients

by Ryan Coyne | Dec 24, 2018

Following the installation of ransomware and malware on a server belonging to Mind & Motion Developmental Centers of Georgia, it has been revealed that the group responsible which may have been able to access to 16,000 patients protected health information.

The ransomware was installed and implemented on a server housing Mind & Motion medical records. The range of data that was possibly compromised includes names, addresses, birth dates, patients’ gender, medical histories, medical diagnoses, health insurance data and Social Security details. Medical records may also have been compromised due to the attack.

Mind & Motion noticed the ransomware attack on September 30, 2018. An IT vendor, TeamLogic IT, was hired to review the breach, deduce how the attack occurred and help rescue data that had been made inaccessible by the ransomware.

Along with the ransomware infection, TeamLogic IT discovered an disabled keylogger and a spam emailer on the server. All malware was completely erased and associated accounts were deleted. TeamLogic IT did not find any proof to suggest any of the installed malware had been used to view patient financial information or its scheduling and electronic billing databases.

Since the attack was found, Mind & Motion has not been contacted with reports from patients to suggest that any of their PHI has been stolen and improperly used. The attack is thought to have been carried out with the aim of extorting money from Mind & Motion. Thus, it is felt that patients are not like to suffer any negative effects from the attack.

Following guidance from a third party IT vendor, Mind & Motion has reset all passwords and put in place controls to ensure complex passwords are established on all accounts going forward. A policy has also been brought in to force users to change passwords more often. Computers and servers have professional anti-malware solutions included and will be constantly scanned. Mind & Motion has also applied encryption on all its computers and the latest anti-spam technology has been enabled to safeguard against phishing attacks.

Soon after the breach was found, Mind and Motion contracted a compliance consulting firm to make sure that all obligations of HIPAA were met. The consulting firm will be providing additional HIPAA compliance training to all staff within 30 days.

A breach report was filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) on November 30, 2018 and all impacted patients have been alerted regarding the breach by mail. The OCR breach report states that almost 16,000 patient records were possibly impacted.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter